1. Field of the Invention
The invention relates to a vehicle network system in which a plurality of electronic control units installed on a vehicle are network-connected to each other and exchange information.
2. Description of Related Art
By connecting a plurality of electronic control units (ECUs) installed on a vehicle to each other via a network, it is possible to configure a vehicle network system that enables the exchange of information (vehicle information) possessed by the ECUs. In such a vehicle network system, vehicle information usually can be easily exchanged between the network-connected ECUs. Meanwhile, it is also easy to detach, by mistake or intentionally, a device connected to the network, or to attach, by mistake or intentionally, a device to the network. Thus, where a device is unexpectedly detached from the network or an unanticipated device is attached to the network, unauthorized access to the network can occur or the exchange of vehicle information can be affected. Accordingly, Japanese Patent Application Publication No. 2005-1534 (JP 2005-1534 A) describes an example of a system that can be adapted to the case where an ECU constituting a vehicle network system is removed by detachment or the like.
In the system described in JP 2005-1534 A, a vehicle network system is assumed in which, for example, a communication ECU, an engine ECU, a car navigation ECU, and an air conditioner ECU are communicatively connected to each other by a network (communication lines). Because of connection recognition performed by each ECU in such a system, when the connection with any ECU (installed device) is detected to be abnormal, the operation of this device or of another ECU (installed device) is stopped. Thus, when any installed device is detached from the vehicle, the other installed devices are prevented from operating normally as a device group. As a result, an unauthorized action involving the detachment of devices, that is, vehicle theft in this case, is effectively prevented.
Thus, the system described in JP 2005-1534 A can be adapted to the case where a device is detached, but cannot necessarily be adapted adequately to the case in which an unauthorized device is added. Therefore, the system cannot ensure security against frequent unauthorized access associated with the addition of devices, such as a replay attack in which aliases generated by unauthorized use of normal signals that have been transmitted to the network are transmitted to the network.
For example, in a control area network (CAN), which is often used as a vehicle network, a transmitting device transmits signals assigned an identifier (CAN ID) that has been allocated to the transmitting device, and a receiving device determines the device that has transmitted the signal and the contents of the signal on the basis of the identifier added to the signal. In a case where a transmission signal TD110 including an identifier “XX” and data “123 . . . ” is outputted from an ECU_A110 as a transmitting device to a network 120, as shown in FIG. 12A, an ECU_B111, an ECU_C112, and an ECU_N113 that function as receiving devices usually obtain reception signals RD111 to RD113 including the identifier “XX” and data “123 . . . ” that are based on the transmission signal TD110. Meanwhile, where an improper ECU_A130 is connected to a network system 100, as shown in FIG. 12B, the improper ECU_A130 can output a transmission signal TD130 including improper data “999 . . . ” by using the identifier “XX” used by the ECU_A110, which is a normal transmitting device. As a result, the ECU_B111, ECU_C112, and ECU_N113 obtain reception signals RD131 to RD133 including the identifier “XX” and improper data “999 . . . ”. In this case, although the transmission signal is that of the improper ECU_A130, the ECU_B111, ECU_C112, and ECU_N113 determine that this signal is from the ECU_A110 and perform processing based on the improper data. Thus, by an unauthorized access to the network system 100 constituted by the CAN, the improper ECU_A130 can pretend to be the normal ECU_A110, and with recent progress in the field of networking, this has also become a problem for vehicles.
In a system with high processing capacity of devices or high data transfer capacity of the network, unauthorized access can apparently be prevented by using a high-level encryption protocol, such as Secure Socket Layer (SSL), that performs encryption each time a signal is transmitted and received. However, since high-load computations are required for processing the high-level encryption protocol, it is unrealistic to use a protocol requiring such computations in a vehicle network system in which computation capacity and data transfer capacity are reduced to a necessary minimum.
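As an added illustration that is not part of the patent text, the following Python models the ID-only reception described for FIG. 12A and 12B (every frame carrying identifier “XX” is processed as if it came from ECU_A110) and pairs it with an assumed lightweight defender-side check that needs no cryptography: a periodic identifier is expected once per transmission period, so a frame arriving off-cycle is flagged. The bus trace, the 100 ms period and the 20 ms tolerance are constructed values, and the check is an assumption of this example, not a method described in the patent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    t_ms: int     # arrival time on the bus in milliseconds (constructed)
    can_id: str   # identifier; "XX" is the placeholder ID used in FIG. 12
    data: str     # payload; "123" stands for the normal data, "999" for the improper data

# Constructed bus trace (not from the patent): ECU_A110 sends ID "XX" every
# 100 ms; at t=250 the improper ECU_A130 injects a frame reusing the same ID.
TRACE = [
    CanFrame(0, "XX", "123"),
    CanFrame(100, "XX", "123"),
    CanFrame(200, "XX", "123"),
    CanFrame(250, "XX", "999"),   # injected by improper ECU_A130
    CanFrame(300, "XX", "123"),
    CanFrame(400, "XX", "123"),
]

def receive(frames, wanted_id="XX"):
    """Model of ECU_B111/C112/N113: the sender is inferred from the ID alone,
    so every frame carrying the ID is processed as if it came from ECU_A110."""
    return [f.data for f in frames if f.can_id == wanted_id]

def find_off_cycle(frames, can_id="XX", period_ms=100, tolerance_ms=20):
    """Assumed lightweight defender-side check, not described in the patent text:
    a periodic ID is expected once per period, so a frame that arrives outside
    the tolerance relative to the last accepted frame is flagged as suspect.
    A late legitimate frame would also be flagged, so this is an alert, not proof."""
    flagged, last = [], None
    for f in frames:
        if f.can_id != can_id:
            continue
        if last is not None and abs((f.t_ms - last) - period_ms) > tolerance_ms:
            flagged.append(f)          # keep 'last' so the schedule is not shifted
        else:
            last = f.t_ms
    return flagged

if __name__ == "__main__":
    print("accepted by receivers:", receive(TRACE))
    print("off-cycle frames:", [(f.t_ms, f.data) for f in find_off_cycle(TRACE)])
```

Running the block shows the receivers accepting “999” alongside the normal data, while the timing check singles out only the frame injected at t=250.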